From memory, having read Pynchon's Gravity's Rainbow in the 1970s, and not since:
"It's colder than the nipple on a witch's tit, It's colder than a bucket of penguin shit, It's colder than a pimple on a polar bear's ass, And it's colder than the frost on a champagne glass."
I recall that when the ATA security features were added to the ATA standard, it included the Security Freeze command. The command disables access to the security features -- passwords and data security erasure -- until the drive is power cycled. The intent is to disable attacks on ATA security from within a compromised OS.
Normal operations allow ATA security commands -- setting passwords, conducting erasure -- to be executed by the operator from within the BIOS console prior to boot. And such BIOS features are commonly available on laptops.
It is my understanding that modern OSes which follow the ATA standards will issue the security freeze during hardware probe. At least, my *BSD systems do, and I've seen indications that even Windows does.
I don't disagree regarding impossibility. Several of my employers over the years have chosen to use electronic tokens as the "something you have" precisely because their ever-changing values synced to a token server make them more difficult to forge. For my own servers, I eliminate password authentication wherever possible and use either public key authentication, or S/Key one-time-passphrase-pads when PKA is impractical.
Systems that accept password authentication need to prevent brute force attack, through state table management, programmatic log management, or other means of stopping brute force attacks before they succeed. An 8-byte random ASCII password on an http or ssh server that permits unlimited attempts and reconnects can be broken by a script kiddie in a weekend, without much effort.
Passwords are generally considered to be poor authentication methods, when used alone. Strong or weak, password authentication can be attacked by brute force or by social engineering. Post-it Notes (TM) stuck to monitors are not even necessary. :)
------------
The generally accepted commercial practice for remote authentication is to use two methods to authenticate: something you have, and something you know. Example: your bank card (have) and its passcode (know).
Other "Have" examples: electronic token, public key, biometric
Other "Know" examples: passcode, password, passphrase
BDM could mean BDM International, now part of TRW, or, it could mean "Base Defense Measure" or "Bomber Defense Missile" or perhaps "Banking and Debt Management."
Years ago, I had a boss who asked me to remove my facial hair. He said, "I don't like beards or mustaches."
My reply, "But boss, *you* have a mustache!"
He said, "So? I just don't like 'em on other people."
MACNAM unhappy.
BSD is not Linux.
I can just see the ad campaign comparing Blood-Lite to Killer-Lite.
"Tases Great!"
"Less Spilling!"
Toshiro Mifune: B: 1/4/20 D: 24/12/97
John Belushi: B: 1/24/49 D: 3/5/82
Yes, something like that.
Thank you, Michael, for that link to your article. Both interesting and insightful.
Perhaps you're thinking of another OS? Polipo 0.9.9 was added to the tree on 24 September 2005.
Yes, they were using "fat pipe" connections between Wellington and London during ROTK post-processing.
I do not understand what cost savings Netflix would achieve by this reduction in service.